[Zope] CoreSessionTracking: Brute-Forcing Web Application Session IDs

Frank Tegtmeyer fte@lightwerk.com
25 Nov 2001 09:18:13 +0100


--=-=-=

The following article also applies to CoreSessionTracking. CST uses a
timestamp and a value generated by the rhandom module.

While this is sufficient to avoid collisions it's not enough to defend
against brute force attacks like the ones describe in the appended
message.

Perhaps CoreSessionTracking should be switched to an algorithm that
was mentioned by Florent Guillaume (Nuxeo):

------------------------------------------------------------------------
From: Florent Guillaume <fg@nuxeo.com>
Subject: Re: [Zope] CoreSessionTracking-based LoginMethod for LoginManager
Date: 15 Aug 2001 17:07:11 GMT

> 1. Start with the data you want to store
> 2. Append identifying information, eg the IPs of the client and
>    server, and the current date/time.
> 3. Make a digest of this plus a secret string which only you know,
>    and append that as a fingerprint.

I rewrite you 3. as computing as a fingerprint:
        H(known-string || password).

This construction apparently still has some very slight cryptographic
weaknesses. Lifted from bugtraq sometime ago:

    From: Michael Wojcik <Michael.Wojcik@merant.com>
    Date: Mon, 16 Jul 2001 10:45:48 -0700

    Schneier cites a private communication with Bart Preneel (author of
    RIPE-MAC) on possible weaknesses of the obvious constructions

	    H(known-string || password)
	    H(password || known-string)
	    H(password || known-string || password)
	    H(password-1 || known-string || password-2)

    and suggests one of the following instead (rewritten as password
    hashes):

	    H(password-1 || H(password-2 || known-string))
	    H(password || H(password || known-string))   [ie. pw-1 == pw-2]
	    H(password || pad || known-string || password)
                                                     [pad pw to full block]

    The simplest of these, in terms of retrofitting existing systems
    that use one of the constructions Ishikawa mentions, is

	    H(password || H(password || known-string))


So I'd use that last one instead.

Florent Guillaume
Nuxeo
------------------------------------------------------------------------

The needed "secret" could be established by some means during the
installation of CoreSessionTracking without even bothering the
administrator.

Regards, Frank




--=-=-=
Content-Type: message/rfc822
Content-Disposition: inline

X-From-Line: maildir Tue Nov 13 17:44:45 2001
Return-Path: <bugtraq-return-2529-fte=lightwerk.com@securityfocus.com>
Delivered-To: fte@lightwerk.com
Received: (qmail 11773 invoked from network); 13 Nov 2001 16:36:17 -0000
Received: from unknown (HELO outgoing.securityfocus.com) (66.38.151.27)
  by dns.tegtmeyer.com with SMTP; 13 Nov 2001 16:36:17 -0000
Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19])
	by outgoing.securityfocus.com (Postfix) with QMQP
	id 9833AA311E; Tue, 13 Nov 2001 09:30:38 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 28719 invoked from network); 13 Nov 2001 14:52:43 -0000
From: dendler@idefense.com
To: bugtraq@securityfocus.com, webappsec@securityfocus.com,
	pen-test@securityfocus.com, secpapers@securityfocus.com
Date: Tue, 13 Nov 2001 09:52:53 -0500
Subject: Brute-Forcing Web Application Session IDs
Message-ID: <3BF0ED75.4920.5548D03@localhost>
Lines: 19
Xref: westkapp.wb.lightwerk.com BUGTRAQ:2790
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hello,

iDEFENSE Labs has released a paper entitled "Brute-Force
Exploitation of Web Application Session IDs." It covers the basics
of brute-forcing web applications through guessing or reverse
engineering state session IDs which are often used for
authentication purposes. Several examples are shown using some
familiar web sites and applications on how stealing or mimicking a
legitimate user's credentials is possible. All relevant vendors and
site administrators were informed responsibly before publication.

The paper is available at http://www.idefense.com/sessionids.html

David Endler
Director, iDEFENSE Labs
dendler@idefense.com
www.idefense.com



--=-=-=



-- 
CTO   fte@Lightwerk.com         http://www.Lightwerk.com/
Fax: +49-2434-80 07 94           Phone: +49-2434-80 07 81
Lightwerk GmbH * An der Kull 11 * 41844 Wegberg * Germany

--=-=-=--